oauth2.dev

insufficient_scope

IETF

Registry Context

Use insufficient_scope when a protected resource request requires higher privileges than the access token provides.

Technical Summary

RFC 6750 defines insufficient_scope as a bearer-token error code indicating that the access token does not provide the privileges required by the request.

When Used

When a protected resource request requires higher privileges than the presented access token provides.

Normative Requirements

Resource servers

MUST NOT
4
  1. RFC 6750 - Section 3

    include the "scope" attribute more than once.

    Condition: when including the "scope" attribute in the challenge

    The "scope" attribute MUST NOT appear more than once.

  2. RFC 6750 - Section 3

    include characters outside %x21 / %x23-5B / %x5D-7E for scope values or %x20 for delimiters.

    Condition: when including a "scope" attribute

    Values for the "scope" attribute ... MUST NOT include characters outside the set %x21 / %x23-5B / %x5D-7E ... and %x20 for delimiters

  3. RFC 6750 - Section 3

    include the "error" attribute more than once.

    Condition: when including the insufficient_scope error in the challenge

    The "error" ... attribute MUST NOT appear more than once.

  4. RFC 6750 - Section 3

    include characters outside %x20-21 / %x23-5B / %x5D-7E in the "error" attribute value.

    Condition: when including the insufficient_scope error in the challenge

    Values for the "error" ... attributes ... MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

MUST
3
  1. RFC 6750 - Section 3

    include the HTTP "WWW-Authenticate" response header field.

    Condition: when the protected resource request does not contain an access token that enables access to the protected resource

    the resource server MUST include the HTTP "WWW-Authenticate" response header field

  2. RFC 6750 - Section 3

    use the auth-scheme value "Bearer" for the challenge.

    Condition: when issuing a challenge defined by RFC 6750

    All challenges defined by this specification MUST use the auth-scheme value "Bearer".

  3. RFC 6750 - Section 3

    follow the "Bearer" auth-scheme with one or more auth-param values.

    Condition: when issuing a Bearer challenge

    This scheme MUST be followed by one or more auth-param values.

SHOULD
1
  1. RFC 6750 - Section 3.1

    respond with the HTTP 403 (Forbidden) status code.

    Condition: when the request requires higher privileges than the access token provides

    The resource server SHOULD respond with the HTTP 403 (Forbidden) status code

MAY
1
  1. RFC 6750 - Section 3.1

    include the "scope" attribute with the scope necessary to access the protected resource.

    Condition: when the request requires higher privileges than the access token provides

    MAY include the "scope" attribute with the scope necessary to access the protected resource

Validation Guidance

error

Confirm the response includes a WWW-Authenticate header when the presented access token does not enable access to the protected resource.

error

Confirm the challenge uses the Bearer auth-scheme followed by at least one auth-param.

warning

If insufficient_scope is emitted, confirm the response status is 403; report a non-403 status as a SHOULD-level deviation.

warning

If a scope attribute is present, confirm it identifies the scope necessary to access the protected resource.

error

Confirm the scope attribute appears no more than once and contains only the permitted characters.

error

Confirm the error attribute appears no more than once and its value contains only the permitted characters.

Reference

Details

Entry Id
insufficient_scope
Name
insufficient_scope
Usage Location
resource access error response
Protocol Extension
bearer access token type
Change Controller
IETF
Reference
RFC6750